Manage incident response procedures using Sentry.
Use when investigating production issues, triaging errors,
or creating incident response workflows.
Trigger with phrases like "sentry incident response", "sentry triage",
"investigate sentry error", "sentry runbook".
Structured incident response framework built on Sentry's error monitoring platform. Covers the full lifecycle from alert detection through severity classification, root cause investigation using Sentry's breadcrumbs and stack traces, Discover queries for impact analysis, stakeholder communication, resolution via the Sentry API, and postmortem documentation with Sentry data exports.
Prerequisites
Sentry account with project-level access and auth token (SENTRY_AUTH_TOKEN)
Organization slug (SENTRY_ORG) and project slug (SENTRY_PROJECT) configured
@sentry/node (v8+) or equivalent SDK installed in the application
Alert rules configured for critical error thresholds
Notification channels connected (Slack integration or PagerDuty)
Instructions
Step 1 — Classify Severity
Assign a severity level based on error frequency and user impact. This determines response time and escalation path.
Severity
Error Criteria
User Impact
Response Time
Escalation
P0 — Critical
Crash-free rate below 95% or unhandled exception spike >500/min
# Mark issue as resolved (closes the issue)
curl -s -X PUT \
-H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"status": "resolved"}' \
"https://sentry.io/api/0/organizations/$SENTRY_ORG/issues/$ISSUE_ID/" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(f'Status: {d.get(\"status\",\"unknown\")}')" \
|| echo "ERROR: Failed to resolve issue"
# Resolve in next release (auto-reopens on regression)
curl -s -X PUT \
-H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"status": "resolved", "statusDetails": {"inNextRelease": true}}' \
"https://sentry.io/api/0/organizations/$SENTRY_ORG/issues/$ISSUE_ID/" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(f'Status: {d.get(\"status\",\"unknown\")} (regression detection enabled)')" \
|| echo "ERROR: Failed to resolve issue"
# Ignore with threshold (snooze until count exceeds limit)
# Use 100 as the re-alert threshold for noisy low-severity issues
curl -s -X PUT \
-H "Authorization: Bearer $SENTRY_AUTH_TOKEN" \
-H "Content-Type: application/json" \
-d '{"status": "ignored", "statusDetails": {"ignoreCount": 100}}' \
"https://sentry.io/api/0/organizations/$SENTRY_ORG/issues/$ISSUE_ID/" \
| python3 -c "import json,sys; d=json.load(sys.stdin); print(f'Status: {d.get(\"status\",\"unknown\")} (snoozed until 100 events)')" \
|| echo "ERROR: Failed to ignore issue"
Stakeholder communication templates:
Initial alert (send within 15 minutes of P0):
INCIDENT — [Service Name]
Status: Investigating
Impact: [Description of user-facing symptoms]
Started: [Timestamp from Sentry "First Seen"]
Sentry Issue: [Link to issue]
Incident Lead: @[on-call engineer]
Next update: 30 minutes
Resolution notice:
RESOLVED — [Service Name]
Duration: [Total incident time from first alert to resolution]
Root Cause: [One-line description from investigation]
Fix Applied: [What changed — rollback, hotfix, config change]
Postmortem: [Link — due within 48 hours]
Postmortem template with Sentry data:
## Incident Postmortem: [Title from Sentry Issue]
### Timeline
- [HH:MM] Alert fired — Sentry issue [ISSUE_ID] created
- [HH:MM] On-call engineer acknowledged
- [HH:MM] Root cause identified via [breadcrumbs / stack trace / suspect commits]
- [HH:MM] Fix deployed — [rollback / hotfix description]
- [HH:MM] Error rate returned to baseline, issue resolved in Sentry
### Impact (from Sentry Discover)
- **Duration:** [X hours Y minutes]
- **Total events:** [count() from Discover query]
- **Unique users affected:** [count_unique(user) from Discover query]
- **p95 latency during incident:** [p95(transaction.duration) from Discover]
### Root Cause (5 Whys)
1. Why did the error occur? [Direct cause from stack trace]
2. Why was that code path triggered? [From breadcrumbs]
3. Why was it not caught in testing? [Gap analysis]
4. Why did the alert take [X] minutes? [Alert rule review]
5. Why is this class of error possible? [Systemic cause]
### Action Items
- [ ] [Preventive measure] — Owner: @[name] — Due: [date]
- [ ] Update Sentry alert rules to catch [pattern] earlier
- [ ] Add regression test covering [scenario from breadcrumbs]
- [ ] Review and tighten ownership rules for [component]
Output
Severity classification (P0-P3) based on error frequency and user impact
Completed triage checklist with root cause identification
API-driven issue resolution with regression detection enabled
Stakeholder communication messages (initial alert + resolution)
Postmortem document populated with Sentry data exports
Error Handling
Error
Cause
Solution
401 Unauthorized from Sentry API
Auth token expired or lacks org-level scope
Regenerate token at Settings > Developer Settings > Internal Integrations with event:read, issue:write scopes
Alert fatigue — too many P2/P3 alerts
Alert rules trigger on every event instead of thresholds
Change alert condition to "New issue" or "Event frequency > N in M minutes"
Suspect Commits shows wrong commit
Release association not configured
Run sentry-cli releases set-commits --auto in CI pipeline
Missing breadcrumbs in events
SDK not capturing HTTP/console/navigation breadcrumbs
Verify Sentry.init({ integrations: [breadcrumbsIntegration()] }) and check maxBreadcrumbs setting
Issue keeps regressing after resolve
Root cause not fully addressed, only symptom fixed
Use "Resolve in next release" for auto-reopen, add regression test
Discover query returns empty data
Wrong time range or missing event.type filter
Expand statsPeriod to 7d, verify query syntax in Sentry Discover UI first
Examples
Example 1 — P0 payment failure spike:
An alert fires: PaymentProcessingError with 200 events in 5 minutes. Triage reveals crash-free rate dropped to 91%. Breadcrumbs show the Stripe webhook handler receiving malformed payloads after a Stripe API version change. Suspect Commits points to a dependency update merged 20 minutes ago. Resolution: rollback the deployment, resolve the Sentry issue with inNextRelease, file a postmortem with the 5 Whys showing the missing Stripe API version pin.
Example 2 — P2 intermittent 503 from upstream API:
Sentry shows ServiceUnavailableError affecting 40 users/hour. Discover query reveals count() = 180, count_unique(user) = 40, p95(transaction.duration) = 8200ms. Breadcrumbs show the third-party geocoding API returning 503. Resolution: enable the circuit breaker fallback to cached results, ignore the Sentry issue with ignoreCount: 100, create a backlog item to add a secondary geocoding provider.
Example 3 — P1 new unhandled exception after deploy:
A TypeError: Cannot read properties of undefined appears immediately after a release tagged v2.4.1. First Seen matches the deploy timestamp. Stack trace points to a renamed API response field. Suspect Commits identifies the exact PR. Resolution: deploy hotfix renaming the field access, resolve the issue tied to v2.4.2, update the postmortem with Discover data showing 320 affected users over 45 minutes.
For configuring Sentry alerts and error capture, see sentry-error-capture. For CI/CD integration with Sentry releases, see sentry-ci-integration. For performance monitoring and tracing, see sentry-performance-tracing.